Ubuntu
nagios2 package

XSS issues in Nagios CGI (CVE-2007-5803)

Bug #238516 reported by Thierry Carrez on 2008-06-09

256

	Status	Importance	Assigned to
nagios2 (Ubuntu)	Invalid	Undecided	Unassigned
Feisty	Won't Fix	Undecided	Unassigned
Gutsy	Won't Fix	Undecided	Unassigned
Hardy	Fix Released	Undecided	Thierry Carrez
nagios3 (Debian)	Fix Released	Unknown	debbugs #485439
nagios3 (Ubuntu)	Fix Released	Undecided	Unassigned
Feisty	Invalid	Undecided	Unassigned
Gutsy	Invalid	Undecided	Unassigned
Hardy	Invalid	Undecided	Unassigned

Bug Description

Binary package hint: nagios2

Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360.

Note that this also affects nagios3 (before 3.0.2).
I'm working on a patch.

Related branches

lp:ubuntu/hardy-security/nagios2

CVE References

2007-5803

Revision history for this message

Thierry Carrez (ttx) wrote on 2008-06-09:

Debdiff for nagios2 Edit (40.4 KiB, text/plain)

Here is a backport (XSS fixes only) from Nagios 2.12.
For Nagios 3.x (Intrepid) we should probably upgrade to 3.0.2.

Bug Watch Updater (bug-watch-updater) on 2008-06-10

Changed in nagios3:
status:	Unknown → Fix Committed

Bug Watch Updater (bug-watch-updater) on 2008-06-11

Changed in nagios3:
status:	Fix Committed → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2008-06-11:

nagios3 updated in Debian unstable to 3.0.2-1, waiting for autosync.

Revision history for this message

Thierry Carrez (ttx) wrote on 2008-06-12:

Auto-synced to 3.0.2-1

Changed in nagios3:
status:	New → Fix Released

Jamie Strandboge (jdstrand) on 2008-06-18

Changed in nagios3:
status:	New → Invalid
status:	New → Invalid
status:	New → Invalid
Changed in nagios2:
status:	New → Invalid
status:	New → In Progress
assignee:	nobody → tcarrez

Jamie Strandboge (jdstrand) on 2008-06-19

Changed in nagios2:
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-06-19:

This bug was fixed in the package nagios2 - 2.11-1ubuntu1.2

---------------
nagios2 (2.11-1ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: fix XSS issues in CGI scripts thanks to Thierry Carrez
  * debian/rules: fix nagios2-common upgrade failure. Thanks to Thierry Carrez
  * References
    CVE-2007-5803
    LP: #238516
    LP: #220208

-- Jamie Strandboge <email address hidden> Thu, 19 Jun 2008 12:30:11 -0400

Changed in nagios2:
status:	Fix Committed → Fix Released

Revision history for this message

Hew (hew) wrote on 2008-12-15:

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in nagios2:
status:	New → Won't Fix

Revision history for this message

Sergio Zanchetta (primes2h) wrote on 2009-05-07:

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in nagios2 (Ubuntu Gutsy):
status:	New → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Debdiff for nagios2 Edit

Add patch

Remote bug watches

debbugs #485439
[done grave security] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntunagios2 package

XSS issues in Nagios CGI (CVE-2007-5803)

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
nagios2 package